https://mimesniff.spec.whatwg.org/#json-mime-type defines JSON MIME Types as:

• application/json
• text/json
• */*+json

But I'm wondering whether it's better to limit the third case to application/*+json or something, or not, mainly in the context of JSON modules.

pros:

• The current browser implementations don't seem to consider all */*+json MIME types as JSON. JSON MIME types are used in https://html.spec.whatwg.org/C/#process-a-navigate-response, and thus navigations to responses with JSON MIME types should be like navigating to text page (e.g. text/plain page), but according to draft WPT ([TEST] Test MIME Types + navigation web-platform-tests/wpt#20169):
  • Following JSON MIME types are rejected (i.e. trigger download instead of navigation) on Firefox:
    • application/*+json
    • text/*+json
  • Following JSON MIME types are rejected on Firefox and Chromium:
    • All other */*+json
• As JSON modules is a fairly new feature, it might be worth considering to setting stricter restriction on MIME types (just like module scripts have stricter MIME type restriction than classic scripts).

cons:

• The current spec is aligned with how XML MIME Types are defined, i.e. including */*+xml in RFC7303, and the rationale behind it: https://tools.ietf.org/html/rfc7303#appendix-A.
  • Similarly, all */*+xml MIME Types don't seem considered as XMLs by the current browsers, according to the draft WPT above though.

WDYT?